With the Maze cartel gone, ransomware remains a painful issue for organizations


The Maze ransomware cartel may have retired, but the ransomware problem is not going anywhere. The early retirement of the Maze operators didn’t surprise ransomware researchers. “There is a possibility that it’s not a shutdown but a rebranding,” Fedor Sinitsyn, senior malware analyst at Kaspersky told CyberNews.

Maze ransomware, which began operating last May, was probably the most prominent malware group that threatened businesses and large organizations.

This April, Cognizant was attacked by Maze ransomware. The company revealed that the cost of the attack could be up to $70 million. 


“We do anticipate the revenue and corresponding margin impact to be in the range of $50 million to $70 million for the quarter," Cognizant CFO Karen McLoughlin said in the earnings call.

In August, Canon suffered a ransomware attack for which Maze claimed responsibility. Also, the operators of Maze ransomware have published tens of GB of internal data from the networks of LG and Xerox following two failed extortion attempts, ZDnet reported.

“What also makes Maze stand out is the fact that it was probably the first group to create a data leak blog,” researchers at Kaspersky told CyberNews.

Last week, it was reported that the Maze cartel decided to retire early at the top of their game. This is not unprecedented. Last June, the GandCrab ransomware group retired after claiming to have earned $2 billion. That only illustrates that ransomware doesn’t cease to exist. It’s quite the opposite: cybercriminals innovate and find new ways to attack.

Maze affiliates have moved on

The Maze ransomware cartel is credited with revolutionizing the ransomware industry by using a double extortion tactic: if a company didn’t pay the ransom, Maze would release the data it had stolen from that company online.

This has been adopted by other ransomware groups like REvil, Clop, and DoppelPaymer. Affiliates that worked with the Maze cartel are moving or have moved over to Egregor, BleepingComputer has learned.


The early retirement didn’t surprise cybersecurity researchers and experts at all.

“We don't see anything surprising here. It is a typical tactic of ransomware developers to close down their project after gaining enough profit,” Fedor Sinitsyn, senior malware analyst at Kaspersky, told CyberNews.

Experts have seen this happen before with GandCrab, Shade ransomware, and others.

“In case closed-down ransomware is used to operate as ransomware-as-a-service (RaaS), the affiliates typically find another malware developer to collaborate with and continue their malicious activities with another trojan. Additionally, based on the code similarity between Maze and Egregor, there is a possibility that it’s not a shutdown but a rebranding,” Fedor Sinitsyn said.


What was so special about Maze ransomware?

This summer, there have been reports that ransomware gangs joined forces. The joint efforts of the criminals certainly tend to make them more dangerous.

“As an example, researchers discovered that these ransomware groups had exchanged expertise on security solution evasion. In these circumstances, the cooperation between security vendors and law enforcement is vital to combat the criminals more effectively,” the senior malware analyst at Kaspersky told CyberNews.

CyberNews asked Fedor Sinitsyn to elaborate on what made Maze so special among other ransomware gangs.

He explained that Maze typically targeted large organizations and that their victims came from different spheres of industry, including IT, telecommunications, construction, the energy sector, healthcare, finance, and others.


“The malware itself is heavily obfuscated, more so than most other ransomware families. This makes the analysis more challenging and time-consuming. What also makes Maze stand out is the fact that it was probably the first group to create a data leak blog. It is a website where they list their victims and publish the data stolen from those of them who refused to pay the ransom,” he explained.


Based on the website run by the Maze operators, more than 100 organizations have been affected by this malware family since it first appeared back in 2019. The Maze gang used Bitcoin to receive ransom payments.

Fedor Sinitsyn and his colleagues never recommend paying the ransom.

“Paying would only make the extortionists stronger and encourage the growth of the ransomware threat worldwide,” he told CyberNews.

It’s up to the companies themselves whether to pay the ransom. Sometimes, businesses assume that the possible damage might be bigger than the ransom, and decide to pay. Recently, Reuters reported that US travel giant CWT paid $4.5 million to cybercriminals.

Anyway, with or without the Maze gang, ransomware is not going anywhere. Senior researchers at CyberNews are convinced that ransomware (and ransomware groups in particular) is one of the most important, top-trending cybersecurity topics in 2020 and beyond.


The ransomware ‘industry’ is booming

As the ransomware ‘market’ has grown, it has become both more commercial and more professional, with new entrants to the market adopting much of the language and many of the practices of the latest startups, CyberNews contributor Adi Gaskell writes.


Recently, Barbie maker Mattel reported that it was the victim of a ransomware attack on its information systems. There has been no material impact on Mattel's operations or financial condition as a result of the incident, the company said in a quarterly report.

In September, a woman died in Duesseldorf University Hospital during a ransomware attack. She might be the first fatality linked to a cyberattack on a hospital. A few weeks later, two dozen hospitals were hit by ransomware in the US.

These examples illustrate the huge increase in the number of ransomware attacks observed by cybersecurity experts globally. In Q3 2020, Check Point Research saw a 50% increase in the daily average of ransomware attacks compared to the first half of the year. The top ransomware types were Maze and Ryuk.

According to Check Point Research, the top 5 countries affected by ransomware in Q3 in terms of the number of attacks are the US (98.1% increase), India (39.2%), Sri Lanka (436%), Russia (57.9%), and Turkey (32.5%).